Privacy Policy
Introduction
At Innovate ADHD Ltd, we are committed to safeguarding your personal data. As a specialist healthcare provider handling sensitive information, we follow the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Common Law Duty of Confidentiality.
In everything we do, we observe the seven data-protection principles set out in Article 5 UK GDPR:
- Lawfulness, fairness & transparency – we always have a lawful basis for processing, treat you fairly, and explain clearly what we do with your information.
- Purpose limitation – we collect data only for specific, legitimate purposes and do not use it for anything incompatible with those purposes.
- Data minimisation – we gather only the information that is relevant and necessary for your care and our obligations.
- Accuracy – we keep your information accurate and up to date, correcting it promptly when notified of changes or errors.
- Storage limitation – we retain data only for as long as needed to meet clinical, legal, and regulatory requirements.
- Integrity & confidentiality (security) – we protect your data with appropriate technical and organisational measures against unauthorised access, loss, or damage.
- Accountability – we take responsibility for complying with these principles and can demonstrate our compliance through policies, training, audit logs, and ongoing review.
This privacy notice explains how we collect, use, protect, and share your information, the rights you have, and the steps you can take if you have any concerns.
Who We Are
Innovate ADHD Ltd is a private provider of online ADHD assessments and related healthcare services.
Data Controller:
Innovate ADHD Ltd, [16314966]
1 Mark Square
GF-123
London EC2A 4EG
United Kingdom
Data Protection Officer:
Jiaao Yu
jiaao.yu@innovateadhd.com
Regulatory Compliance
We are registered with the Information Commissioner's Office (ICO) as a data controller, with documentation renewed annually. This registration demonstrates our commitment to information governance and regulatory standards.
Accessibility
This privacy notice is available in alternative formats or languages upon request. Please contact us if you require this information in a different format to meet your needs.
Data Collection Scope
We process the following categories of personal information:
- Personal identifiers: Full name, date of birth, residential address, and contact information.
- Clinical data: Medical history, clinical assessments, diagnoses, treatment plans, medication records, and details of healthcare professionals involved in your care.
- Administrative information: Appointment schedules, billing and financial transactions, and correspondence related to your treatment.
- Technical data: Information collected when you use our digital services, such as IP address and device details, solely for service optimisation and security.
- Lifestyle information: Details you volunteer (sleep, diet, employment) during ADHD assessments.
- Recordings: Transcriptions or audio/video recordings of tele-consultations.
We collect most information directly from you. With your permission, we may also obtain data from other healthcare professionals involved in your care.
We strictly adhere to the principle of data minimisation, processing only information essential for healthcare delivery and service administration.
Information Sources
- Directly from you: When you use our services, communicate with us, or participate in service improvement initiatives.
- From referring clinicians or healthcare organisations: If you are referred to us, we may receive relevant information through formal referral processes.
- From technical interactions: When you use our online services.
Legal Framework for Processing
We process your personal data in accordance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Common Law Duty of Confidentiality
Our lawful bases for processing are:
- For private patients: Article 6(1)(b) – necessary for the performance of a contract.
- For special category (health) data: Article 9(2)(h) – necessary for the provision of health or social care.
- Consent: For specific communications or sharing with third parties, we rely on your explicit consent.
- Legal obligations: To comply with statutory or regulatory requirements, including CQC inspections and safeguarding obligations.
Data Utilisation
We use your information to:
- Deliver safe and effective clinical care
- Plan and coordinate your treatment
- Manage appointments and communications
- Maintain clinical records and documentation
- Administer billing and payments
- Monitor and improve service quality
When possible, we use pseudonymisation or anonymisation to protect your identity.
Automated Decision-Making: We do not use automated decision-making processes for clinical care or decisions that have a significant effect on you.
Information Sharing Protocols
- Internal access: Only staff who need your information to perform their duties can access it. Clinical staff access full records; administrative staff access only necessary details.
- With other healthcare professionals: To coordinate your care, with your consent.
- With the CQC: As a regulated provider, we are legally required to allow the Care Quality Commission (CQC) access to relevant patient records during inspections. We maintain an audit trail of any such access and inform patients, where practical, if their records have been accessed by CQC.
- With third-party service providers: Only under formal agreements with strict confidentiality and data protection obligations.
- No commercial use: We never sell or share your information with marketing or commercial entities.
- In the rare event that our electronic systems are unavailable, we have secure manual processes to ensure continuity of care and data protection.
- For service users who may lack capacity, we act in accordance with the Mental Capacity Act 2005 and always consider their best interests when processing personal information.
External Sharing
We share your information only when we have a valid legal basis, which may be:
- your explicit consent,
- a legal obligation,
- the performance of our contract with you, or
- a substantial public-interest or safeguarding reason.
Safeguarding: If we believe there is a risk of harm to you or others, we may share information with appropriate authorities in line with our safeguarding responsibilities.
NHS National Data Opt-Out
If you are an NHS patient, you may opt out of your confidential information being used for research and planning. For more information, visit NHS National Data Opt-Out.
International Data Transfers
We occasionally use trusted administrative service providers based outside the United Kingdom (e.g., for appointment scheduling and billing support).
When this involves identifiable patient data, we only transfer the information if:
- the destination country is covered by a UK "adequacy decision"; or
- we have put in place appropriate safeguards, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
These safeguards contractually require the overseas provider to apply UK-equivalent security, confidentiality, and patient-rights protections. Further details of current transfer arrangements and copies of the safeguards are available on request from our Data Protection Officer.
Security Infrastructure
We protect your information using:
- Secure, encrypted electronic health record systems
- Secure hosting environments compliant with national healthcare standards
- Multi-factor authentication and individual user credentials
- Comprehensive audit logging
- Data encryption in storage and transmission
- Secure communication protocols
- Up-to-date anti-malware, firewalls, and password management
- Role-based access controls and secure remote access
Records Management
We retain your clinical records for a minimum of 8 years after your last treatment, in line with national guidelines. After this period, records are securely destroyed using certified digital deletion and controlled destruction for physical documents.
Patient Rights Framework
You have the following rights regarding your personal information:
- Right to be informed: About how your data is processed.
- Right of access: To your personal records (within one month of request and identity verification).
- Right to rectification: Of inaccurate or incomplete information.
- Right to erasure: Where appropriate, noting statutory retention requirements for healthcare records.
- Right to restrict processing: In certain circumstances.
- Right to data portability: In a structured, machine-readable format.
- Right to object: To certain types of processing.
- Right not to be subject to automated decision-making: With significant effects.
To exercise your rights, please contact us using the details above. All requests are handled professionally and will not affect your care.
Breach Management
We have a robust incident response process for data breaches, including:
- Immediate escalation and containment
- Thorough investigation and risk assessment
- Notification to regulatory authorities (e.g., ICO) where required
- Prompt notification to affected individuals with details and support
- Documentation and analysis to prevent recurrence
Communication Security
- Telephone: Identity verification protocols
- Email and messaging: Secure channels and content minimisation in non-secure communications
- Online services: Encrypted web communications
- Remote consultations: Encrypted telehealth platforms, with recordings made only with explicit consent
Professional Standards
All staff:
- Sign confidentiality agreements as a condition of employment
- Receive regular data protection and information governance training (aligned with NHS standards)
- Undergo annual competency assessments
- Are subject to disciplinary action, including potential dismissal and regulatory reporting, for policy breaches
Policy Updates
This privacy policy undergoes periodic review to maintain regulatory alignment and operational relevance. Substantive revisions will be published through appropriate channels with direct communication for significant changes.
Regulatory Recourse
While we encourage direct communication regarding data protection concerns, you have the right to escalate unresolved issues to the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk
If you need this notice in another format or language, please let us know.
Last updated: 15 September 2025